[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Heimdal client for Windows
Am Sonntag, 28. Januar 2007 23:20 schrieb Michael B Allen:
> On Sun, 28 Jan 2007 19:51:20 +0100
>
> Stefan Gohmann <gohmann@univention.de> wrote:
> > Hi Henry,
> >
> > Am Freitag, 26. Januar 2007 20:22 schrieb Henry B. Hotz:
> > > I had an exchange with Jeffrey Altman on MIT's krbdev list where I
> > > worked through all the config items in Mozilla relatives to make a
> > > Windows client use the Kerberos libraries in KfW. You ought to be
> > > able to find it with Google. It works.
> >
> > that's very nice.
> >
> > > MS IE will always use the Microsoft kerberos implementation and the
> > > tickets in the LSA.
> >
> > Does that mean, it is not possible that the MS IE uses the ticket from
> > the Heimdal KDC?
>
> Not quite. IE could get a ticket from a Heimdal KDC but it would only
> do so by going through the Local Security Authoriy (LSA). Meaning,
> if you could run Heimdal client libs on a Windows client and the libs
> used some kind of ccache file, IE would not be able to use it. The
> Heimdal port would have use the credential cache associated with the
> logon session. Meaning it would have to have some LSA code to store and
> retrieve credentials (code that MIT has and could largely be copied).
>
> Personally however I don't understand why someone would want to run
> alternative Kerberos libraries on a Windows client. Unless perhaps you're
> porting some *nix software that uses the MIT/Heimdal API maybe.
Thanks for your answer. Maybe it helps, if I explan what I want to do.
I have a Linux server with Heimdal KDC, Samba3, Apache with mod_auth_kerb and
a Windows XP Client, which is member in the Samba3 domain.
After the user logon on the windows client the user should get a kerberos
ticket, so that he could do a single sign on to the Apache server with his
Internet Explorer. Do I have other options as using the KfW libraries?
Cheers
Stefan
> Mike
>
> > Cheers
> > Stefan
> >
> > > On Jan 21, 2007, at 10:11 PM, Stefan Gohmann wrote:
> > > > Am Sonntag, 14. Januar 2007 01:08 schrieb Phil Pennock:
> > > >> Myself, I don't have our Windows laptop use Kerberos to sign-in;
> > > >> instead, I want it to be able to get Kerberos credentials after
> > > >> sign-in
> > > >> before access services. For that, I use MIT Kerberos for Windows,
> > > >> which
> > > >> I can confirm works on XP Home and XP Pro with a Heimdal KDC
> > > >> (server).
> > > >> It works with Firefox and Thunderbird, with appropriate about:config
> > > >> tinkering, and with Mulberry (another free mail client).
> > > >
> > > > Is it possible, that the internet explorer also use these ticket?
> > > >
> > > > Cheers
> > > > Stefan
> > > >
> > > > --
> > > > Stefan Gohmann Entwicklung gohmann@univention.de
> > > > Univention GmbH Linux for your Business fon: +49 421 22 232-
> > > > 0 Mary-Somerville-Str.1 28359 Bremen fax: +49 421 22
> > > > 232-99 http://www.univention.de
> > >
> > > -----------------------------------------------------------------------
> > >- The opinions expressed in this message are mine,
> > > not those of Caltech, JPL, NASA, or the US Government.
> > > Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
> >
> > --
> > Stefan Gohmann Entwicklung gohmann@univention.de
> > Univention GmbH Linux for your Business fon: +49 421 22 232- 0
> > Mary-Somerville-Str.1 28359 Bremen fax: +49 421 22 232-99
> > http://www.univention.de
--
Stefan Gohmann Entwicklung gohmann@univention.de
Univention GmbH Linux for your Business fon: +49 421 22 232- 0
Mary-Somerville-Str.1 28359 Bremen fax: +49 421 22 232-99
http://www.univention.de